
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN140
_____________________________________________________________________

DATE                : 05/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Asterisk Open Source versions prior
                     to 16.16.2, 17.9.3 or 18.2.2, and Certified Asterisk
                     versions prior to 16.8-cert7.

=====================================================================
http://downloads.asterisk.org/pub/security/AST-2021-006.html
_____________________________________________________________________


Asterisk Project Security Advisory - AST-2021-006

Product                 Asterisk
Summary                 Crash when negotiating T.38 with a zero port
Nature of Advisory      Remote Crash
Susceptibility          Remote Authenticated Sessions
Severity                Minor
Exploits Known          No
Reported On             February 20, 2021
Reported By             Gregory Massel
Posted On               March 4, 2021
Last Updated On         March 4, 2021
Advisory Contact        bford AT sangoma DOT com
CVE Name                CVE-2019-15297



Description

When Asterisk sends a re-INVITE to initiate T.38 faxing and the remote
endpoint answers with an m=image line whose port is zero (the SDP way of
rejecting the offered media stream), Asterisk crashes. The crash is
reachable only from an established, authenticated session on an endpoint
that has T.38 enabled. This is a recurrence of AST-2019-004.

Modules Affected       res_pjsip_t38.c


Resolution             If T.38 faxing is not required then setting
                       “t38_udptl” on the endpoint to “no” disables this
                       functionality. This option is “no” by default.

                       If T.38 faxing is required, then Asterisk should
                       be upgraded to a fixed version.
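The following script is an added example and is not part of the advisory or
of the Asterisk project. It puts the two points above into checkable form:
it lists the endpoints in a pjsip.conf whose t38_udptl option is enabled
(only those can reach the affected code path, since the option defaults to
"no"), and it recognises the SDP answer that triggers the crash, an m=image
line carrying port 0 over udptl. The pjsip.conf excerpt and both SDP bodies
are constructed for the example; the section names, addresses and port
numbers in them are invented.

```python
"""Audit helpers for AST-2021-006 (Asterisk crash on T.38 answer with zero port).

Added example, not Asterisk project code. Sample config and SDP are constructed.
"""
import configparser
import re

# Constructed pjsip.conf excerpt: one endpoint with T.38 enabled, one relying
# on the default (t38_udptl=no), one with the option set explicitly to no.
SAMPLE_PJSIP_CONF = """\
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

[fax-gateway]
type=endpoint
context=from-fax
disallow=all
allow=ulaw
t38_udptl=yes
t38_udptl_ec=redundancy

[desk-phone]
type=endpoint
context=internal
disallow=all
allow=ulaw

[softphone]
type=endpoint
context=internal
allow=ulaw
t38_udptl=no
"""

# Constructed SDP answers. The first rejects the image stream (port 0), which
# is the answer described in the advisory; the second accepts it normally.
SAMPLE_SDP_REJECT = "\r\n".join([
    "v=0",
    "o=- 1614000000 1614000001 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=image 0 udptl t38",
    "a=T38FaxVersion:0",
    "",
])
SAMPLE_SDP_ACCEPT = SAMPLE_SDP_REJECT.replace("m=image 0 udptl t38",
                                              "m=image 4000 udptl t38")

# Values Asterisk's config parser treats as "true" for a boolean option.
_TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}


def endpoints_with_t38(conf_text):
    """Return the names of [endpoint] sections whose t38_udptl is enabled."""
    # strict=False tolerates the duplicate keys pjsip.conf allows (e.g. allow=).
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(conf_text)
    exposed = []
    for name in parser.sections():
        sect = parser[name]
        if sect.get("type", "").strip().lower() != "endpoint":
            continue
        # Option absent means the default, which is "no" (not exposed).
        if sect.get("t38_udptl", "no").strip().lower() in _TRUE_VALUES:
            exposed.append(name)
    return exposed


# RFC 4566 media description: m=<media> <port>[/<count>] <proto> <fmt> ...
_MEDIA_LINE = re.compile(
    r"^m=(?P<media>\S+)\s+(?P<port>\d+)(?:/\d+)?\s+(?P<proto>\S+)(?P<fmts>.*)$")


def parse_media_lines(sdp_text):
    """Return a list of (media, port, proto) tuples for each m= line."""
    found = []
    for line in sdp_text.splitlines():
        match = _MEDIA_LINE.match(line.strip())
        if match:
            found.append((match.group("media"), int(match.group("port")),
                          match.group("proto")))
    return found


def rejects_t38(sdp_text):
    """True if the SDP answer carries an m=image line with port 0 over udptl.

    That is the answer that crashed unpatched Asterisk. A test harness or an
    SBC in front of Asterisk can use this to flag such answers until the
    fixed release is deployed.
    """
    return any(media == "image" and port == 0 and proto.lower() == "udptl"
               for media, port, proto in parse_media_lines(sdp_text))


if __name__ == "__main__":
    print("endpoints exposed to AST-2021-006:", endpoints_with_t38(SAMPLE_PJSIP_CONF))
    for label, sdp in (("reject", SAMPLE_SDP_REJECT), ("accept", SAMPLE_SDP_ACCEPT)):
        print(label, "answer rejects T.38 with zero port:", rejects_t38(sdp))
```

Run it against the real pjsip.conf (read the file instead of the embedded
sample) to get the list of endpoints that still need the upgrade; an empty
list means the t38_udptl workaround already covers the deployment.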


                        Affected Versions

Product                    Release Series    Affected Version

Asterisk Open Source       16.x              16.16.1

Asterisk Open Source       17.x              17.9.2

Asterisk Open Source       18.x              18.2.1

Certified Asterisk         16.x              16.8-cert6


                            Corrected In

Product                    Release

Asterisk Open Source       16.16.2, 17.9.3, 18.2.2

Certified Asterisk         16.8-cert7


Patches

Patch URL                     Revision

https://downloads.digium.com/pub/security/AST-2021-006-16.diff
	Asterisk 16

https://downloads.digium.com/pub/security/AST-2021-006-17.diff
	Asterisk 17

https://downloads.digium.com/pub/security/AST-2021-006-18.diff
	Asterisk 18

https://downloads.digium.com/pub/security/AST-2021-006-16.8.diff
	Certified Asterisk 16.8



Links
https://issues.asterisk.org/jira/browse/ASTERISK-29203
https://downloads.asterisk.org/pub/security/AST-2021-006.html


Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
https://downloads.digium.com/pub/security/AST-2021-006.pdf and
https://downloads.digium.com/pub/security/AST-2021-006.html


Revision History

Date                   Editor             Revisions Made

February 25, 2021      Ben Ford           Initial revision

March 4, 2021          Ben Ford           Added ‘posted on’ date


Asterisk Project Security Advisory - AST-2021-006
Copyright © 02/25/2021 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in
its original, unaltered form.


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================




